BAYER PRIVACY POLICY FOR MEDICAL INFORMATION AND QUALITY 


Policy last updated: 20 December 2018 


1. The scope of this privacy policy 
As a pharmaceutical company, we are obligated to: 


• provide medical information to unsolicited requests; and
• respond to quality complaints.


Those obligations require us to process certain personally-identifiable information (“Personal Data”) to 
respond to questions from the public and healthcare professionals and follow-up and gather 
information on any complaints or concerns about the quality of our products (which may include 
checking whether any reports or information that we receive are unique, or whether they are duplicates 
or previous reports) (the “Purposes”). This policy is designed to provide a summary of how we process 
Personal Data for the Purposes, in line with our obligations under the EU General Data Protection 
Regulation ((EU) 2016/679) (“GDPR”). 


2. Pharmacovigilance 

We also have pharmacovigilance obligations to report suspected adverse reactions or events, and how 
the company receives them, to relevant regulatory authorities (which is outside the scope of this policy). 
For information about how we may use your Personal Data in connection with our pharmacovigilance 
activities, please see our separate privacy policy here 


3. Controller and how to contact us 

For the purposes of the GDPR, Bayer is the “data controller” in respect of the Personal Data processed 
for the Purposes. If you have any questions about this policy or about how we use your Personal Data, 
please contact us via our contact details at the end of this policy. 


4. Personal Data we process for the Purposes 

We will only process your Personal Data for the Purposes where necessary for compliance with our legal 
and regulatory obligations, and for the purposes of our legitimate interests in providing you with 
information about our products, or responding to any complaints or concerns that you have in relation 
to our products. 


We may need to process the following Personal Data about a patient in order to comply with our 
legal obligations, for example to respond to a request or information received from a healthcare 
professional or patient, or to make an effective safety data analysis and to comply with the 
Purposes: 


• Patient name and / or initials;
• Unique identification number (e.g. National Insurance or NHS number);
• Date of birth / age group;
• Sex;
• Weight;
• Height;
• Ethnicity;
• Medical history;
• Medical status;
• Email address / online identifier;
• Residential address;
• Telephone and / or mobile number;
• Voice recordings (e.g. taped telephone conversations);
• Photos / videos (if you provide these to us);
• Religious or philosophical beliefs;
• Sex life / sexual orientation;
• Genetic / biometric data; and
• Personal data relating to children.


Please note that we collect and process the minimum Personal Data necessary in order to comply with 
our legal obligations and fulfil our legitimate interests in respect of the Purposes. 


We also process Personal Data related to the reporter of any information received, or individual who 
has requested information, which may be a healthcare professional or provider, family member or 
patient. This Personal Data includes name and contact details (including name, job title, clinic / 
institution name and address, email address, telephone number, fax number). We require this 
information in order to follow-up with the relevant individual, as necessary, to ensure complete and 
accurate data are collected, and to ensure that any reports or information we receive are unique, or 
whether they are duplicates or previous reports. 


5. Use of your Personal Data for the Purposes 
We will only use your Personal Data where the law allows us to and in order to comply with the 
Purposes. 


6. Sharing/disclosure of your Personal Data for the Purposes 
We do not disclose or share any Personal Data for the Purposes except as permitted by law or as set 
out below. 


We will disclose Personal Data in respect of a quality complaint to relevant regulatory authorities 
if necessary and as required to fulfil our legal and regulatory obligations. 


We will share your Personal Data within the Bayer group as necessary for the Purposes. 


We will also share Personal Data processed for the Purposes as necessary with our third party 
service providers who provide services or functions on our behalf. These third party service 
providers may include database providers, call centre operators, and in the event that you disclose 
your Personal Data to our market researchers, that particular market research provider. Please note 
that we have appropriate data protection safeguards in place with our third party service providers 
with whom we share Personal Data and who are providing services or functions on our behalf. 


7. Keeping your Personal Data secure 

We have implemented appropriate technical and organisational measures to safeguard Personal 
Data processed for the Purposes, including safeguards and procedures designed to restrict access to 
Personal Data to those employees who need it to perform their job responsibilities. 


We maintain physical, electronic and procedural safeguards that comply with applicable law, 
including the GDPR, to safeguard Personal Data from accidental loss, destruction or damage and 
unauthorised access, use and disclosure. 


8. Retention periods for use of your Personal Data 
We will use and store your Personal Data only for as long as necessary, bearing in mind the specific
use of your Personal Data for the Purposes as described in this privacy policy and otherwise as
communicated to you, and any mandatory legal requirements governing storage and reporting of
information to which we are subject.


We will delete permanently or anonymise any Personal Data which is no longer necessary. 


9. Access to and control over your Personal Data 

You have legal rights to the extent permitted under applicable law in relation to your Personal Data. 
You can ask the following questions, or take the following actions, at any time by contacting us via 
email: 


• see what Personal Data we hold about you (if any), including why we are holding it and who it
could be disclosed to;
• ask us to change / correct your Personal Data;
• ask us to delete permanently your Personal Data;
• object to the processing of your Personal Data;
• ask us to restrict the processing of your Personal Data;
• withdraw any consents you have given us to the processing of your Personal Data; and
• express any concerns you have about our or third parties’ use of your Personal Data to your
national data protection regulator.


Please note that some of these rights may be limited in certain circumstances, for example where 
certain conditions have not been met under applicable law. 


10. Transfers of your Personal Data for the Purposes 

We may need to transfer your Personal Data within the Bayer group for the Purposes. We may also 
need to share your Personal Data with our third party service providers and regulatory bodies, as 
described above, which may be based outside the European Economic Area (“EEA”). 


Unless a legal derogation applies under applicable law, whenever we need to transfer your Personal 
Data out of the EEA for the Purposes, we ensure a similar degree of protection is afforded to it by 
ensuring that we have a data transfer agreement incorporating specific protective clauses approved 
by the European Commission in place with the recipient of the data, or we otherwise insert 
protective clauses into our agreements with third parties, or some other similar applicable 
international transfer protection mechanism is in place as permitted under the GDPR, to endeavour 
to ensure that the Personal Data transferred is processed in accordance with applicable law. 


11. Contact Us 
Our full details are: 


Bayer Public Limited Company
400 South Oak Way
Reading
RG2 6AD
UK


Email address: dataprotection-uk-eire@bayer.com 
Telephone: +44 (0)118 206 3000 


